summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/passdb/passdb.c53
-rw-r--r--source3/passdb/pdb_tdb.c2
-rw-r--r--source3/sam/idmap_tdb.c32
-rw-r--r--source3/sam/idmap_util.c230
4 files changed, 169 insertions, 148 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index c93577dc04..b13ecf7a33 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -428,59 +428,6 @@ NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd)
return NT_STATUS_OK;
}
-/******************************************************************
- * Get the free RID base if idmap is configured, otherwise return 0
- ******************************************************************/
-
-uint32 pdb_get_free_rid_base(void)
-{
- uint32 low, high;
- if (pdb_get_free_rid_range(&low, &high)) {
- return low;
- }
- return 0;
-}
-
-/******************************************************************
- * Get the the non-algorithmic RID range if idmap range are defined
- ******************************************************************/
-
-BOOL pdb_get_free_rid_range(uint32 *low, uint32 *high)
-{
- uid_t u_low, u_high;
- gid_t g_low, g_high;
- uint32 id_low, id_high;
-
- if (lp_idmap_only()) {
- *low = BASE_RID;
- *high = -1;
- }
-
- if (lp_idmap_uid(&u_low, &u_high) && lp_idmap_gid(&g_low, &g_high)) {
- if (u_low < g_low) {
- id_low = u_low;
- } else {
- id_low = g_low;
- }
- if (u_high > g_high) {
- id_high = u_high;
- } else {
- id_high = g_high;
- }
-
- *low = fallback_pdb_uid_to_user_rid(id_low);
- if (fallback_pdb_user_rid_to_uid(-1) < id_high) {
- *high = -1;
- } else {
- *high = fallback_pdb_uid_to_user_rid(id_high);
- }
-
- return True;
- }
-
- return False;
-}
-
/**********************************************************
Encode the account control bits into a string.
length = length of string to encode into (including terminating
diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
index 2715c3e3ca..3ed5d2d4d6 100644
--- a/source3/passdb/pdb_tdb.c
+++ b/source3/passdb/pdb_tdb.c
@@ -754,7 +754,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
if (!(user_rid = pdb_get_user_rid(newpwd))) {
if ((flag & TDB_INSERT) && tdb_state->permit_non_unix_accounts) {
uint32 lowrid, highrid;
- if (!pdb_get_free_rid_range(&lowrid, &highrid)) {
+ if (!idmap_get_free_rid_range(&lowrid, &highrid)) {
/* should never happen */
DEBUG(0, ("tdbsam: something messed up, no high/low rids but nua enabled ?!\n"));
ret = False;
diff --git a/source3/sam/idmap_tdb.c b/source3/sam/idmap_tdb.c
index 13e3affbd6..f85d2db086 100644
--- a/source3/sam/idmap_tdb.c
+++ b/source3/sam/idmap_tdb.c
@@ -301,30 +301,30 @@ static NTSTATUS db_idmap_init(void)
}
/* Create high water marks for group and user id */
- if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) {
- if (tdb_store_int32(idmap_tdb, HWM_USER, idmap_state.uid_low) == -1) {
- DEBUG(0, ("idmap_init: Unable to initialise user hwm in idmap database\n"));
- return NT_STATUS_INTERNAL_DB_ERROR;
- }
- }
-
- if (tdb_fetch_int32(idmap_tdb, HWM_GROUP) == -1) {
- if (tdb_store_int32(idmap_tdb, HWM_GROUP, idmap_state.gid_low) == -1) {
- DEBUG(0, ("idmap_init: Unable to initialise group hwm in idmap database\n"));
- return NT_STATUS_INTERNAL_DB_ERROR;
- }
- }
-
if (!lp_idmap_uid(&idmap_state.uid_low, &idmap_state.uid_high)) {
DEBUG(0, ("idmap uid range missing or invalid\n"));
DEBUGADD(0, ("idmap will be unable to map foreign SIDs\n"));
+ } else {
+ if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) {
+ if (tdb_store_int32(idmap_tdb, HWM_USER, idmap_state.uid_low) == -1) {
+ DEBUG(0, ("idmap_init: Unable to initialise user hwm in idmap database\n"));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+ }
}
-
+
if (!lp_idmap_gid(&idmap_state.gid_low, &idmap_state.gid_high)) {
DEBUG(0, ("idmap gid range missing or invalid\n"));
DEBUGADD(0, ("idmap will be unable to map foreign SIDs\n"));
+ } else {
+ if (tdb_fetch_int32(idmap_tdb, HWM_GROUP) == -1) {
+ if (tdb_store_int32(idmap_tdb, HWM_GROUP, idmap_state.gid_low) == -1) {
+ DEBUG(0, ("idmap_init: Unable to initialise group hwm in idmap database\n"));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+ }
}
-
+
return NT_STATUS_OK;
}
diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c
index b282d2ef83..3086ee2113 100644
--- a/source3/sam/idmap_util.c
+++ b/source3/sam/idmap_util.c
@@ -22,35 +22,119 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_IDMAP
+
+/******************************************************************
+ * Get the free RID base if idmap is configured, otherwise return 0
+ ******************************************************************/
+
+uint32 idmap_get_free_rid_base(void)
+{
+ uint32 low, high;
+ if (idmap_get_free_rid_range(&low, &high)) {
+ return low;
+ }
+ return 0;
+}
+
+BOOL idmap_check_ugid_is_in_free_range(uint32 id)
+{
+ uint32 low, high;
+
+ if (!idmap_get_free_ugid_range(&low, &high)) {
+ return False;
+ }
+ if (id < low || id > high) {
+ return False;
+ }
+ return True;
+}
+
+BOOL idmap_check_rid_is_in_free_range(uint32 rid)
+{
+ uint32 low, high;
+
+ if (!idmap_get_free_rid_range(&low, &high)) {
+ return False;
+ }
+ if (rid < low || rid > high) {
+ return False;
+ }
+ return True;
+}
+
+/******************************************************************
+ * Get the the non-algorithmic RID range if idmap range are defined
+ ******************************************************************/
+
+BOOL idmap_get_free_rid_range(uint32 *low, uint32 *high)
+{
+ uint32 id_low, id_high;
+
+ if (lp_idmap_only()) {
+ *low = BASE_RID;
+ *high = (uint32)-1;
+ }
+
+ if (!idmap_get_free_ugid_range(&id_low, &id_high)) {
+ return False;
+ }
+
+ *low = fallback_pdb_uid_to_user_rid(id_low);
+ if (fallback_pdb_user_rid_to_uid((uint32)-1) < id_high) {
+ *high = (uint32)-1;
+ } else {
+ *high = fallback_pdb_uid_to_user_rid(id_high);
+ }
+
+ return True;
+}
+
+BOOL idmap_get_free_ugid_range(uint32 *low, uint32 *high)
+{
+ uid_t u_low, u_high;
+ gid_t g_low, g_high;
+
+ if (!lp_idmap_uid(&u_low, &u_high) || !lp_idmap_gid(&g_low, &g_high)) {
+ return False;
+ }
+ if (u_low < g_low) {
+ *low = u_low;
+ } else {
+ *low = g_low;
+ }
+ if (u_high < g_high) {
+ *high = g_high;
+ } else {
+ *high = u_high;
+ }
+ return True;
+}
+
/*****************************************************************
*THE CANONICAL* convert uid_t to SID function.
Tries winbind first - then uses local lookup.
Returns SID pointer.
*****************************************************************/
-DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid)
+DOM_SID *uid_to_sid(DOM_SID *sid, uid_t uid)
{
unid_t id;
DEBUG(10,("uid_to_sid: uid = [%d]\n", uid));
- id.uid = uid;
- if (NT_STATUS_IS_OK(idmap_get_sid_from_id(psid, id, ID_USERID))) {
- DEBUG(10, ("uid_to_sid: sid = [%s]\n", sid_string_static(psid)));
- return psid;
+ if (idmap_check_ugid_is_in_free_range(uid)) {
+ id.uid = uid;
+ if (NT_STATUS_IS_ERR(idmap_get_sid_from_id(sid, id, ID_USERID))) {
+ DEBUG(10, ("uid_to_sid: Failed to map sid = [%s]\n", sid_string_static(sid)));
+ return NULL;
+ }
+ } else {
+ sid_copy(sid, get_global_sam_sid());
+ sid_append_rid(sid, fallback_pdb_uid_to_user_rid(uid));
+
+ DEBUG(10,("uid_to_sid: algorithmic %u -> %s\n", (unsigned int)uid, sid_string_static(sid)));
}
-
- /* If mapping is not found in idmap try with traditional method,
- then stores the result in idmap.
- We may add a switch in future to allow smooth migrations to
- idmap-only db ---Simo */
-
- sid_copy(psid, get_global_sam_sid());
- sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
-
- DEBUG(10,("uid_to_sid: algorithmic %u -> %s\n", (unsigned int)uid, sid_string_static(psid)));
-
- return psid;
+ return sid;
}
@@ -60,34 +144,31 @@ DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid)
Returns SID pointer.
*****************************************************************/
-DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid)
+DOM_SID *gid_to_sid(DOM_SID *sid, gid_t gid)
{
GROUP_MAP map;
unid_t id;
DEBUG(10,("gid_to_sid: gid = [%d]\n", gid));
+ if (idmap_check_ugid_is_in_free_range(gid)) {
id.gid = gid;
- if (NT_STATUS_IS_OK(idmap_get_sid_from_id(psid, id, ID_GROUPID))) {
- DEBUG(10, ("gid_to_sid: sid = [%s]\n", sid_string_static(psid)));
- return psid;
- }
-
- /* If mapping is not found in idmap try with traditional method,
- then stores the result in idmap.
- We may add a switch in future to allow smooth migrations to
- idmap-only db ---Simo */
-
- if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
- sid_copy(psid, &map.sid);
+ if (NT_STATUS_IS_ERR(idmap_get_sid_from_id(sid, id, ID_GROUPID))) {
+ DEBUG(10, ("gid_to_sid: Failed to map sid = [%s]\n", sid_string_static(sid)));
+ return NULL;
+ }
} else {
- sid_copy(psid, get_global_sam_sid());
- sid_append_rid(psid, pdb_gid_to_group_rid(gid));
- }
+ if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+ sid_copy(sid, &map.sid);
+ } else {
+ sid_copy(sid, get_global_sam_sid());
+ sid_append_rid(sid, pdb_gid_to_group_rid(gid));
+ }
- DEBUG(10,("gid_to_sid: algorithmic %u -> %s\n", (unsigned int)gid, sid_string_static(psid)));
+ DEBUG(10,("gid_to_sid: algorithmic %u -> %s\n", (unsigned int)gid, sid_string_static(sid)));
+ }
- return psid;
+ return sid;
}
/*****************************************************************
@@ -97,37 +178,32 @@ DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid)
was done correctly, False if not. sidtype is set by this function.
*****************************************************************/
-BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
+BOOL sid_to_uid(const DOM_SID *sid, uid_t *uid)
{
+ uint32 rid;
unid_t id;
int type;
- DEBUG(10,("sid_to_uid: sid = [%s]\n", sid_string_static(psid)));
+ DEBUG(10,("sid_to_uid: sid = [%s]\n", sid_string_static(sid)));
+
+ if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
+ if (!idmap_check_rid_is_in_free_range(rid)) {
+ if (!fallback_pdb_rid_is_user(rid)) {
+ DEBUG(3, ("sid_to_uid: RID %u is *NOT* a user\n", (unsigned)rid));
+ return False;
+ }
+ *uid = fallback_pdb_user_rid_to_uid(rid);
+ return True;
+ }
+ }
type = ID_USERID;
- if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, psid))) {
+ if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, sid))) {
DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid));
- *puid = id.uid;
+ *uid = id.uid;
return True;
}
- if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
- BOOL result;
- uint32 rid;
-
- DEBUG(10,("sid_to_uid: sid is local [%s]\n", sid_string_static(get_global_sam_sid())));
-
- if (!sid_peek_rid(psid, &rid)) {
- DEBUG(0, ("sid_to_uid: Error extracting RID from SID\n!"));
- return False;
- }
- if (!fallback_pdb_rid_is_user(rid)) {
- DEBUG(3, ("sid_to_uid: RID %u is *NOT* a user\n", (unsigned)rid));
- return False;
- }
- *puid = fallback_pdb_user_rid_to_uid(rid);
- return True;
- }
return False;
}
@@ -138,46 +214,44 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
was done correctly, False if not.
*****************************************************************/
-BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
+BOOL sid_to_gid(const DOM_SID *sid, gid_t *gid)
{
+ uint32 rid;
unid_t id;
int type;
- DEBUG(10,("sid_to_gid: sid = [%s]\n", sid_string_static(psid)));
-
- type = ID_GROUPID;
- if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, psid))) {
- DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid));
- *pgid = id.gid;
- return True;
- }
+ DEBUG(10,("sid_to_gid: sid = [%s]\n", sid_string_static(sid)));
- if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
+ if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
GROUP_MAP map;
BOOL result;
- if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) {
+ if (pdb_getgrsid(&map, *sid, MAPPING_WITHOUT_PRIV)) {
/* the SID is in the mapping table but not mapped */
if (map.gid==(gid_t)-1)
return False;
- *pgid = map.gid;
+ *gid = map.gid;
return True;
} else {
- uint32 rid;
-
- if (!sid_peek_rid(psid, &rid)) {
- DEBUG(0, ("sid_to_gid: Error extracting RID from SID\n!"));
- return False;
- }
- if (fallback_pdb_rid_is_user(rid)) {
- DEBUG(3, ("sid_to_gid: RID %u is *NOT* a group\n", (unsigned)rid));
- return False;
+ if (!idmap_check_rid_is_in_free_range(rid)) {
+ if (fallback_pdb_rid_is_user(rid)) {
+ DEBUG(3, ("sid_to_gid: RID %u is *NOT* a group\n", (unsigned)rid));
+ return False;
+ }
+ *gid = pdb_group_rid_to_gid(rid);
+ return True;
}
- *pgid = pdb_group_rid_to_gid(rid);
}
}
+ type = ID_GROUPID;
+ if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, sid))) {
+ DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid));
+ *gid = id.gid;
+ return True;
+ }
+
return False;
}